New York Times site hack shifts attention to registry locks

One way that owners of major websites can mitigate the risk of their domains being hijacked like The New York Times' site was on Tuesday is to apply what is known as a registry lock on the domain, security researchers say.

One way that owners of major websites can mitigate the risk of their domains being hijacked like The New York Times' site was on Tuesday is to apply what is known as a registry lock on the domain, security researchers say.

A registry lock is basically a mechanism under which any requests for changes to a domain name server have to be manually verified and authenticated by a top-level domain owner like Verisign and NeuStar, which operate the dotcom and dotbiz domains respectively.

A registry lock provides an additional layer of protection against DNS tampering and is particularly useful in situations where a domain name registrar might be compromised, the security researchers said.

On Tuesday, The Times blamed a prolonged website outage on a hacking attack at the company's Australia-based domain name registrar, Melbourne IT.

The Times said hackers belonging to the Syrian Electronic Army (SEA) gained access to the company's DNS records by compromising its domain name registrar. The attackers then used that access to change the paper's DNS record so it was pointing to systems in Syria and Moscow.

Melbourne IT, in turn, blamed the outage on one of its resellers, whose account was apparently compromised and used to change several domain names, including that of The Times, Twitter and others.

H.D. Moore, chief research officer at security vendor Rapid7, said registry locks make it much more difficult to make such DNS changes.

Typically, changes to name servers are handled directly by domain registrars such as Melbourne IT and not by the top-level domain owners. A registry lock prevents the registrar from making any changes on its own and instead allows changes to be made only with the approval of the top-level owner.

"Instead of updating a record through your registrar's website, you have to contact the [Top Level Domain] owner instead and go through a secondary form of authentication," Moore said. "It makes sense for big brands, but does impose a maintenance penalty on organizations who change DNS providers frequently."p>

At the time of the attack, many of the major websites hosted by Melbourne IT did not have a registry lock in place, Moore said. Among the companies using Melbourne IT are Yahoo, Google, Microsoft, Ikea, AOL and dozens of other major site owners.

While there is no evidence that the attackers made changes to any of these domains, they were potentially vulnerable, Moore said. "In other words, things could have been much worse."

Since the attacks on The Times, several of the websites using Melbourne IT as a registrar have applied registry locks, Moore said. Among the websites that appear to have put a lock in place are the Huffington Post, Mapquest, Starbucks and Twitter's TweetDeck. However, many other major websites using Melbourne IT have not done so yet, and remain vulnerable.

Matthew Prince, co-founder of CloudFlare, saiddomain registrars generally do not make it easy for website owners to request registry locks, however. "[Locks] make processes like automatic renewals more difficult," Prince said in a blog post. "However, if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place."